TrojanSpy.Win32.TRICKBOT.TIGOCDC

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It injects its dropped file/component to specific processes.

It steals certain information from the system and/or the user.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Downloaded by Worm.JS.DLOADR.AA

Installation

This Trojan Spy drops the following copies of itself into the affected system and executes them:

• %ProgramData%\АахХееаВеАКе.exe
• %Application Data%\mslibrary\АахХееаВеАКе.exe

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %Application Data%\mslibrary\settings.ini → Contains Encrypted Victim Key
• %Application Data%\mslibrary\Data\injectDll32 → Encrypted module that monitors banking-related URLs and/or websites
• %Application Data%\mslibrary\Data\networkDll32 → Encrypted module that steals network information
• %Application Data%\mslibrary\Data\psfin32 → Encrypted module that identifies Point-Of-Sale systems within the network
• %Application Data%\mslibrary\Data\pwgrab32 → Encrypted module that steals information from Internet Browser Applications, WinSCP, FileZilla, and Microsoft Outlook
• %Application Data%\mslibrary\Data\systeminfo32 → Encrypted module that steals information regarding the infected machine
• %Application Data%\mslibrary\Data\injectDll32_configs\dinj → Encrypted list of banking-related URLs and/or websites to monitor
• %Application Data%\mslibrary\Data\injectDll32_configs\dpost → Encrypted list of C&C servers that will receive the HTTP response to and from the monitored URLs and/or websites
• %Application Data%\mslibrary\Data\injectDll32_configs\sinj → Encrypted list of banking-related URLs and/or websites to phish
• %Application Data%\mslibrary\Data\networkDll32_configs\dpost → Encrypted list of C&C servers that will receive the stolen network information
• %Application Data%\mslibrary\Data\psfin32_configs\dpost → Encrypted list of C&C servers that will receive information from PoS systems
• %Application Data%\mslibrary\Data\pwgrab32_configs\dpost → Encrypted list of C&C servers that will receive the credentials

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• svchost.exe (multiple instances)

It creates the following folders:

• %Application Data%\mslibrary
• %Application Data%\mslibrary\data

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects its dropped file/component to the following processes:

• created svchost.exe instances

Information Theft

This Trojan Spy steals the following information:

• OS information (Architecture, Caption, CSDVersion)
• CPU Information (Name)
• Memory Information
• User Accounts
• Installed Programs
• Installed Services
• IP Configuration
• Network Information (Configuration, Users, Domain Settings)
• Credentials in the following Applications:
  • Microsoft Outlook
  • PuTTy
  • Filezilla
  • Remote Desktop (RDP)
  • VNC
  • WinSCP
• Internet Browser Credentials (Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox):
  • Usernames and Passwords
  • Internet Cookies
  • Browsing History
  • Autofills
  • Credit card data
  • Billing info data
  • HTTP Posts responses
• Information regarding Point-Of-Sale (POS) systems in the network, by querying accounts or user name containing the following string:
  • *POS*
  • *REG*
  • *CASH*
  • *LANE*
  • *STORE*
  • *RETAIL*
  • *BOH*
  • *ALOHA*
  • *MICROS*
  • *TERM*

Other Details

This Trojan Spy connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.117.187:8082
• http://{BLOCKED}.{BLOCKED}.243.70:8082
• http://{BLOCKED}.{BLOCKED}.180.226:8082
• http://{BLOCKED}.{BLOCKED}.105.206:8082
• http://{BLOCKED}.{BLOCKED}.160.10:8082
• http://{BLOCKED}.{BLOCKED}.16.77:80
• http://{BLOCKED}.{BLOCKED}.90.242:80
• http://{BLOCKED}.{BLOCKED}.48.54:80
• http://{BLOCKED}.{BLOCKED}.125.162:80
• http://{BLOCKED}.{BLOCKED}.238.3:80
• http://{BLOCKED}.{BLOCKED}.255.32:443
• http://{BLOCKED}.{BLOCKED}.253.94:443
• http://{BLOCKED}.{BLOCKED}.117.27:443
• http://{BLOCKED}.{BLOCKED}.116.120:443
• http://{BLOCKED}.{BLOCKED}.117.36:443
• http://{BLOCKED}.{BLOCKED}.144.61:443
• https://{BLOCKED}.{BLOCKED}.77.248:446
• https://{BLOCKED}.{BLOCKED}.56.26:449
• https://{BLOCKED}.{BLOCKED}.97.141:447
• http://{BLOCKED}.{BLOCKED}.144.61:443

It does the following:

• Disables Windows Defender and lowers down machine security by executing the ff. commands:
  • sc stop WinDefend
  • sc delete WinDefend
  • powershell Set-MpPreference -DisableRealtimeMonitoring $true
  • powershell Set-MpPreference -DisableBehaviorMonitoring $true
  • powershell Set-MpPreference -DisableBlockAtFirstSeen $true
  • powershell Set-MpPreference -DisableIOAVProtection $true
  • powershell Set-MpPreference -DisablePrivacyMode $true
  • powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
  • powershell Set-MpPreference -SevereThreatDefaultAction 6
  • powershell Set-MpPreference -LowThreatDefaultAction 6
  • powershell Set-MpPreference -ModerateThreatDefaultAction 6
  • powershell Set-MpPreference -DisableScriptScanning $true
• Monitors the following banking-related URLs and/or websites:
  • *.blilk.com/Core/Authentication/MFA*
  • *.bnc.ca*
  • *.com/fi*/bb/*
  • *.com/fi*/bb/favicon.ico?*
  • *.com/fi*/pb/*
  • *.com/fi*/pb/favicon.ico?*
  • *.com/fi*/retail/*
  • *.com/fi*/retail/favicon.ico?*
  • *.com/fnfg/retail/*
  • *.com/fnfg/retail/favicon.ico?*
  • *.com/pub/html/favicon.ico*
  • *.com/pub/html/login.html*
  • *.com/SPF/Login/Auth.aspx*
  • *.com/SPF/Login/favicon.ico?*
  • *.de/de/home.html
  • *.de/de/home.html*
  • *.de/de/home/*.html*
  • *.ebanking-services.com/*.asp*
  • *.ebanking-services.com/*/*favicon.ico*
  • *.onlinebank.com/*/AOP/*.aspx*
  • *.onlinebank.com/*/AOP/favicon.ico?*
  • */Accounts/AccountOverview.asp*
  • */Authentication/Login*
  • */banking-private/entry*
  • */banking-private/portal*
  • */bbw/cmserver/welcome*
  • */business/cts_security_precheck*
  • */business/j_security_check*
  • */business/login/Login.jsp*
  • */de/home/aktionen/*.html*
  • */de/home/firmenkunden/*.html*
  • */de/home/login-online-banking.html*
  • */de/home/misc/*.html*
  • */de/home/online-filiale/*.html*
  • */de/home/privatkunden/*.html*
  • */de/home/service/*.html*
  • */de/home123123123*
  • */EBC_EBC1961/*
  • */getq/1527163537124692/qZaiUryN1C*
  • */getq/1527612058812310/iNmHc4XOcV*
  • */getq/1560517266156622/KpLcbTeB5n*
  • */getq/1563624318226669/M38S2K9clJ*
  • */home/onlinebanking/*.html*
  • */iytdr56ygc567ygtyhgyukiu654efgh/*
  • */onlineserv/CM*
  • */q1MPVi7phg/swap*
  • */rcrd/1527161983056830*
  • */rcrd/1527162060949058*
  • */rcrd/1527162392678761*
  • */rcrd/1527162502077171*
  • */rcrd/1527162575196753*
  • */rcrd/1527162620975004*
  • */rcrd/1527162953804588*
  • */rcrd/1527163053741552*
  • */rcrd/1527163537124692*
  • */rcrd/1527164097084304*
  • */rcrd/1527164139852253*
  • */rcrd/1527164275923785*
  • */rcrd/1527164294934631*
  • */rcrd/1527164442360306*
  • */rcrd/1527164640571442*
  • */rcrd/1527164985687384*
  • */rcrd/1527165088325262*
  • */rcrd/1527170714082509*
  • */rcrd/1527171026496719*
  • */rcrd/1527171294563071*
  • */rcrd/1527171438710910*
  • */rcrd/1527173297891530*
  • */rcrd/1527612058812310*
  • */rcrd/1527784817476992*
  • */rcrd/1528137865954561*
  • */rcrd/1528138508409624*
  • */rcrd/1529299416322016*
  • */rcrd/1529423905024754*
  • */rcrd/1530558791571849*
  • */rcrd/1530801754727167*
  • */rcrd/1531737415491610*
  • */rcrd/1532632040841589*
  • */rcrd/1533288334964186*
  • */rcrd/1533809766692683*
  • */rcrd/1534870214732286*
  • */rcrd/1535723065134935*
  • */rcrd/1535730754439313*
  • */rcrd/1536081411070630*
  • */rcrd/1536176590679564*
  • */rcrd/1536679059633197*
  • */rcrd/1537463849851121*
  • */rcrd/1538078076441901*
  • */rcrd/1538496844367198*
  • */rcrd/1538497062765600*
  • */rcrd/1542815273992904*
  • */rcrd/1543510882809493*
  • */rcrd/1543511555715803*
  • */rcrd/1543512054283274*
  • */rcrd/1543516849861476*
  • */rcrd/1543518475901885*
  • */rcrd/1543518759414830*
  • */rcrd/1543519166768558*
  • */rcrd/1543519607339755*
  • */rcrd/1543519778460207*
  • */rcrd/1543522441996439*
  • */rcrd/1545235830343997*
  • */rcrd/1547738007155673*
  • */rcrd/1548766537307202*
  • */rcrd/1548836629102091*
  • */rcrd/1549887949529075*
  • */rcrd/1549888110656100*
  • */rcrd/1549888200260006*
  • */rcrd/1549888496965530*
  • */rcrd/1549968469842314*
  • */rcrd/1550477535863381*
  • */rcrd/1550477972471512*
  • */rcrd/1550479971917479*
  • */rcrd/1550481775969129*
  • */rcrd/1550482073370297*
  • */rcrd/1550482343625533*
  • */rcrd/1550482445763158*
  • */rcrd/1550482741307281*
  • */rcrd/1550482874762402*
  • */rcrd/1550483473369256*
  • */rcrd/1550484138478750*
  • */rcrd/1550484235517088*
  • */rcrd/1550484331776021*
  • */rcrd/1550484422643704*
  • */rcrd/1551276554703372*
  • */rcrd/1551278232078488*
  • */rcrd/1551806506056371*
  • */rcrd/1552041452636481*
  • */rcrd/1553268997921074*
  • */rcrd/1553272366261807*
  • */rcrd/1553272786902342*
  • */rcrd/1553700641298959*
  • */rcrd/1553775145645188*
  • */rcrd/1553783739027513*
  • */rcrd/1554226626854288*
  • */rcrd/1554386753790741*
  • */rcrd/1556022323380659*
  • */rcrd/1556022719770184*
  • */rcrd/1556022865673162*
  • */rcrd/1556724644668813*
  • */rcrd/1559560065526144*
  • */rcrd/1559641634624663*
  • */rcrd/1559641748101529*
  • */rcrd/1559641989637272*
  • */rcrd/1560517266156622*
  • */rcrd/1562331272265065*
  • */rcrd/1563624318226669*
  • */wcmfd/wcmpw/CustomerLogin*
  • */wcmfd/wcmpw/favicon.ico*
  • *123tdbank.com123*
  • *53.com*
  • *amazon.*
  • *authentication.td.com*
  • *authmaint.td.com*index.html*
  • *banking-business/portal*
  • *banking-private/portal123*
  • *banking.fidor.de/smart-account
  • *banking.haspa.de/*OF
  • *banking.ing-diba.de/app/login*
  • *banking.ing-diba.de/app/obligo?x*
  • *banking.ing.de/app/login*
  • *banking.ing.de/app/obligo?x*
  • *banking.netbank.de/banking/session*
  • *banking.netbank.de/nbm/login/*
  • *banking.postbank.de/rai/crypt/*-*
  • *banking.postbank.de/rai/crypt/login*
  • *banking.sparda*.de/spm/?institut=*
  • *banking.sparda*.de/spm/login/*
  • *binance.com*
  • *bitfinex.com*
  • *bitstamp.net*
  • *blockchain.com*
  • *cey-ebanking.com/CLKCCM/*
  • *cibng.ibanking-services.com*
  • *coinbase.com*
  • *coinmarketcap.com*
  • *commerzbank.de/
  • *commerzbank.de/*.html*
  • *consorsbank.de/ev/Mein-Konto-und-Depot*
  • *corporatebankingweb/core/*
  • *cryptocompare.com*
  • *easyweb.td.com*
  • *efsllc.com/*
  • *engine/login/businesslogin*
  • *favicon.ico=01390a8c1c3cfb9918d799ad2a73dd84*
  • *favicon.ico=250717644273414e5c73a3c8997564da*
  • *favicon.ico=2dd2038048c763fc5f9174ae466cdb9c*
  • *favicon.ico=5326bab1f1f827912468392860f6eb14*
  • *favicon.ico=70e9ac7e38a9df5092783b632c859cc7*
  • *favicon.ico=74536be4f9c2db6ca8c01a8054e1338a*
  • *favicon.ico=843729ac35951a040681c469b4a89c0b*
  • *favicon.ico=8735fa9cc59a7353f49756e81c2b3908*
  • *favicon.ico=99f2a20d3dd8a354fbc8ed3a239f199f*
  • *favicon.ico=9d0cf5e88c1fbcc637b90b76128d6bb9*
  • *favicon.ico=a6009ccf2264af7978f45f2a332eb392*
  • *favicon.ico=a857aaab644de080328d45292893e479*
  • *favicon.ico=be7cd95e4b5e89eb1f1d895abab1ee71*
  • *favicon.ico=c8d027c1b29ac0def84ddfac56e682c8*
  • *favicon.ico=ce2bb103af1a10241de273caa885dbdd*
  • *favicon.ico=d73a726d92acc898bbbb175d3ab3337e*
  • *favicon.ico=f7205f82fdf9559db38d202eb9459348*
  • *favicon.ico=f7caf50483938302d86aa228d161e435*
  • *favicon.ico=ff358d7f67bc0f7e81b014655e34d0a5*
  • *fleetone.com*
  • *haspa.de/*/login
  • *haspa.de/*/welcome
  • *iccu.com*
  • *iconnectdata.com/*
  • *key.com123123*
  • *kraken.com*
  • *ksk-koeln.de/*aspx*
  • *kunde.comdirect.de/itx/*?execution=*
  • *kunden.commerzbank.de/banking/*financeoverview?*
  • *kunden.commerzbank.de/banking/*payments?*
  • *kunden.commerzbank.de/banking/*transactions?*
  • *kunden.commerzbank.de/banking/landingpage*
  • *kunden.commerzbank.de/lp/login*
  • *lzo.com/de/home.html
  • *lzo.com/de/home/*.html*
  • *meine.deutsche-bank.de*
  • *meine.deutsche-bank.de/trxm/db/
  • *meine.deutsche-bank.de/trxm/db/?lang=*
  • *meine.deutsche-bank.de/trxm/db/*
  • *meine.deutsche-bank.de/trxm/db/init.do*
  • *meine.deutsche-bank.de/trxm/db/invoke/*
  • *meine.norisbank.de/trxm/noris/init.do
  • *meine.norisbank.de/trxm/noris/invoke/*
  • *meine.postbank.de*
  • *my.hypovereinsbank.de/login?view=/de/login.jsp*
  • *netteller.com/login2008/Authentication*
  • *norisbank.de*
  • *ortal?bankid=*
  • *partnersfcu.org/OnlineBanking/*aspx*
  • *partnersfcu.org/OnlineBanking/AOP/favicon.ico?*
  • *paxful.com*
  • *pib*.secure-banking.com/*
  • *portal/*portal*
  • *secure.fundsxpress.com/piles/fxweb.pile/*
  • *secure.myvirtualbranch.com*
  • *securebank.santander*.de/IRALOG*/BtoChannelDriver*
  • *targobank.de/*/banque/*.aspx
  • *targobank.de/*/identification/*.cgi*
  • *timeout=*token*
  • *wpevent=loauto&timeout=*
  • *www.dkb.de/-*
  • *www.dkb.de/banking*
  • http*://*.bestbuy.com*
  • http*://*.costco.com*
  • http*://*.samsclub.com*
  • http*://*acc*desjardins.com*
  • https://*.bankofamerica.com*
  • https://*.de*abmelden*
  • https://*.de/*/entry*
  • https://*.de/banking-*/portal;*
  • https://*.de/banking-*/portal?*
  • https://*.de/de/home*
  • https://*.de/en/home*
  • https://*.de/portal/portal*
  • https://*.de/privatkunden/*
  • https://*.key.com/ibxolb/olb/index.html
  • https://*.my.commbank.com.au/netbank/Logon/Logon.aspx
  • https://*.my.commbank.com.au/netbank/PaymentHub/ConfirmDetails.aspx*
  • https://*.my.commbank.com.au/netbank/PaymentHub/MakePayment.aspx*sn-transfers-bpay
  • https://*.my.commbank.com.au/netbank/PaymentHub/PaymentReceipt.aspx*
  • https://*.my.commbank.com.au/netbank/TransactionHistory/Details.aspx*
  • https://*.my.commbank.com.au/netbank/TransactionHistory/History.aspx*
  • https://*.my.commbank.com.au/netbank/TransactionHistory/MerchantDetails.aspx*
  • https://*.my.commbank.com.au/netbank/TransactionHistory/NPPDetails.aspx*
  • https://*.netteller.com/favicon.ico?*
  • https://*.netteller.com/login2008/Authentication/Views/Login.aspx*
  • https://*.sparkasse.at/*.js
  • https://*.sparkasse.at/sPortal/sportal*
  • https://*.suntrust.com*
  • https://*.usbank.com/access/oblix/apps/webgate/bin/webgate.dll*
  • https://*.usbank.com/Auth/Login/LoginWidget
  • https://*/uux.aspx
  • https://*banking.berliner-bank.de/trxm*
  • https://*banking.sparda-*
  • https://*banking.sparda.de*
  • https://*banking.sparda.de/wps/loggedout.jsp
  • https://*cibc.com/*
  • https://*client.schwab.com/*
  • https://*comdirect.de/lp/wt/login*
  • https://*commerzbank.de*
  • https://*ebanking.bawagpsk.com/InternetBanking*
  • https://*geb.bankaustria.at/ga-gif-war/*
  • https://*kunde.comdirect.de*
  • https://*lms.schwab.com/Login*
  • https://*login.sparkasse.at/sts/oauth*
  • https://*meine.norisbank.de/trxm/noris*
  • https://*online.bankaustria.at/wps/*
  • https://*paypal.com/*
  • https://*ptlweb/WebPortal*
  • https://*raiffeisen*.at/group/club*
  • https://*raiffeisen*.at/group/private*
  • https://*raiffeisen*.at/logincenter*
  • https://*resize/resize_helper.html*
  • https://*royalbank.com/*
  • https://*runpayroll.adp.com/*
  • https://*secure.fundsxpress.com/*/favicon.ico?*
  • https://*secure.fundsxpress.com/*/fx?*
  • https://*secure.fundsxpress.com/favicon.ico?
  • https://*secure.fundsxpress.com/start/*
  • https://*tangerine.ca/app/*
  • https://*targobank.de*
  • https://accesd.mouv.desjardins.com/sommaire-perso/sommaire/detention*
  • https://access.jpmorgan.com/jpmalogon*
  • https://accountonline.citi.com/cards/svc/Login*
  • https://accweb.mouv.desjardins.com/identifiantunique/authentification*
  • https://accweb.mouv.desjardins.com/identifiantunique/identification*
  • https://accweb.mouv.desjardins.com/identifiantunique/securite*
  • https://allmyaccounts.bankofamerica.com/apps/*
  • https://bank.bbt.com/auth/kba_reg_update.tb?action=ZmV0Y2g=
  • https://bank.bbt.com/auth/kba_reg_update.tb*
  • https://bank.bbt.com/auth/pwd.tb*
  • https://bank.bbt.com/mfapp/web/myfi/home*
  • https://bank.bbt.com/mfapp/web/myfi/profile*
  • https://banking.firsttechfed.com/Authentication/ValidateUsernameAndPassword*
  • https://businessaccess.citibank.citigroup.com/cbusol/signon/signonOptions.action
  • https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
  • https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces*
  • https://chaseonline.chase.com/Logon.aspx*
  • https://chaseonline.chase.com/MyAccount*
  • https://chaseonline.chase.com/secure/CustomerCenter*
  • https://chaseonline.chase.com/secure/Profile/*
  • https://client.schwab.com/Accounts/Summary/Summary.aspx*
  • https://client.schwab.com/api/profile*
  • https://client.schwab.com/api/summary/account*
  • https://client.schwab.com/clientapps/accounts/summary/*
  • https://connect.secure.wellsfargo.com/accounts/start*
  • https://connect.secure.wellsfargo.com/auth/login/present*
  • https://espanol.chase.com/sdchaseonline/Logon*
  • https://espanol.chase.com/sdchaseonline/MyAccounts*
  • https://espanol.chase.com/sdchaseonline/secure/CustomerCenter*
  • https://espanol.chase.com/sdchaseonline/secure/Profile/*
  • https://express.53.com/portal/auth/login/Login123*
  • https://finapp.allmyaccounts.bankofamerica.com/finapp/*
  • https://fireline.firelandsfcu.org/User/AccessSignin/Password
  • https://fireline.firelandsfcu.org/User/AccessSignin/Username
  • https://global.americanexpress.com/api/servicing/v1/loyalty/details
  • https://global.americanexpress.com/dashboard*
  • https://global.americanexpress.com/login*
  • https://global.americanexpress.com/myca/logon/emea/action?request_type=LogonHandler*
  • https://ibx.key.com/mbl/api/auth/v1/users/securityquestions*
  • https://ibx.key.com/mbl/api/auth/v1/users/stepup/challenge/SECURITY_QUESTIONS/users.securityquestions
  • https://ibx.key.com/mbl/api/unauth/v1/users/login/password
  • https://intellix.capitalonebank.com/treasury-management-portal-web/appmanager/TresMgmtPortal/TreasuryManagement
  • https://invest.ameritrade.com/cgi-bin/apps/u/SecurityChange
  • https://invest.ameritrade.com/cgi-bin/apps/u/SecurityChange?pagehandler=PHSecurityQuestionChange
  • https://invest.ameritrade.com/grid/?/login
  • https://invest.ameritrade.com/grid/m/securityChallengeSetup
  • https://invest.ameritrade.com/grid/p/site
  • https://keynavigator.key.com/ktt/cmd/logon*
  • https://lms.schwab.com/Login*
  • https://login.ingbank.pl/mojeing/*
  • https://m.chase.com/*
  • https://mblogin.verizonwireless.com/amserver/UI/Login
  • https://my.navyfederal.org/NFOAA_Auth/login.jsp*
  • https://myaccounts.navyfederal.org/NFCU/accounts/accountsummary*
  • https://myapps.paychex.com/*_remote/*
  • https://ola.cu1.org/Authentication/Username
  • https://olb.bbvacompass.com/secure-auth/login*
  • https://olb.bbvacompass.com/secure-il/api/auth/public/signon*
  • https://olb.bbvacompass.com/secure/accountsummary*
  • https://onepass.regions.com/oaam_server/oamLoginPage.jsp*
  • https://online.americanexpress.com/myca/logon/us/action/LogLogonHandler*
  • https://online.citi.com/US/ag/ContactInfo*
  • https://online.citi.com/US/ag/mrc/*
  • https://online.citi.com/US/banking/citi*
  • https://online.citi.com/US/CBOL/ain/car*
  • https://online.citi.com/US/JPS/portal/*
  • https://online.citi.com/US/JRS/contactinfo/initialiseContactInfo*
  • https://online.citi.com/US/JRS/login*
  • https://online.citi.com/US/JRS/pands/*
  • https://online.citi.com/US/JRS/portal/*
  • https://online.citi.com/US/JSO/loginpage/retarget*
  • https://online.citi.com/US/JSO/signoff/*
  • https://online.citi.com/US/JSO/signon/ProcessUsernameSignon.do
  • https://online.citi.com/US/JSO/signon/uname/*
  • https://online.citi.com/US/login*
  • https://online.citi.com/US/NCAO/cli/flow*
  • https://online.citi.com/US/NCMF/csq/flow.action*
  • https://online.citi.com/US/NCMF/csq/ResetQuestions.do*
  • https://online.lloydsbank.co.uk/personal/primarylogin
  • https://online.simplii.com/ebm-resources*
  • https://onlinebanking.afcu.org/*/uux.aspx*
  • https://onlinebanking.mtb.com/
  • https://onlinebanking.mtb.com/Accounts/AccountSummary
  • https://onlinebanking.mtb.com/CustomerService/MyProfile
  • https://onlinebanking.mtb.com/CustomerService/MyProfileEdit
  • https://onlinebanking.mtb.com/Login/MTBSignOn
  • https://onlinebanking.suntrust.com/UI/ajax/clientservice/changeSecurityQA
  • https://onlinebanking.tdbank.com/
  • https://onlinebanking.tdbank.com/ngp_api/v1/security/user/session*
  • https://onlinebanking.usbank.com/*/CustomerDashboard/Index*
  • https://onlinebanking.usbank.com/*/IDShieldQAConfirm
  • https://onlinebanking.usbank.com/*/IDShieldQAReview
  • https://onlinebanking.usbank.com/*/MyProfile/AuthenticationPreferencesView*
  • https://onlinebanking.usbank.com/*/MyProfileDashboard/MyProfileDashboardIndex*
  • https://onlinebanking.usbank.com/*/SCIDShieldQA/IDShieldQA
  • https://onlinebanking.usbank.com/API/Auth/v1/IDShield/UpdateUserQuestions*
  • https://portal.discover.com/customersvcs/universalLogin/signin
  • https://secure.*/LookAndFeel/Common/images/common/share.png?favicon.ico*
  • https://secure.accurint.com/app/bps/main*
  • https://secure.ally.com/
  • https://secure.bankofamerica.com/administer-accounts/omni/card/v3/settings*
  • https://secure.bankofamerica.com/customer/manageContacts*
  • https://secure.bankofamerica.com/login/edit/sm/redirectSecurityCenter.go*
  • https://secure.bankofamerica.com/login/languageToggle.go
  • https://secure.bankofamerica.com/login/sign-in/entry/signOnV2.go*
  • https://secure.bankofamerica.com/login/sign-in/incoming/sitekeyWidgetScript.go*
  • https://secure.bankofamerica.com/login/sign-in/internal/entry/signOnV2.go*
  • https://secure.bankofamerica.com/login/sign-in/signOnScreen*
  • https://secure.bankofamerica.com/login/sign-in/signOnV2Screen.go*
  • https://secure.bankofamerica.com/login/sign-in/signOnV2Screen*
  • https://secure.bankofamerica.com/login/sign-in/validateChallengeAnswer*
  • https://secure.bankofamerica.com/login/sitekey/skmaint.go*
  • https://secure.bankofamerica.com/myaccounts/ao/accounts-overview.go*
  • https://secure.bankofamerica.com/myaccounts/brain/redirect.go?source*
  • https://secure.bankofamerica.com/myaccounts/brain/redirect.go?target=acc*
  • https://secure.bankofamerica.com/myaccounts/details/card*
  • https://secure.bankofamerica.com/myaccounts/details/deposit/account-balance-history.go*
  • https://secure.bankofamerica.com/myaccounts/details/deposit/account-details.go*
  • https://secure.bankofamerica.com/myaccounts/details/deposit/information-services.go*
  • https://secure.bankofamerica.com/myaccounts/signin/signIn.go*
  • https://secure.bankofamerica.com/myaccounts/signoff/signoff-default.go
  • https://secure.bankofamerica.com/mycommunications/statements/statement.go*
  • https://secure.bankofamerica.com/transfers/*
  • https://secure.halifax-online.co.uk/personal/a/logon/entermemorableinformation.jsp*
  • https://secure.lloydsbank.co.uk/personal/a/logon/entermemorableinformation.jsp*
  • https://secure*.chase.com/web/auth*
  • https://secure*.chase.com/web/auth/?fromOrigin=*
  • https://secure*.chase.com/web/auth/dashboard*
  • https://securentrycorp.amegybank.com/Authentication/zbf/k/_c*
  • https://securentrycorp.calbanktrust.com/Authentication/zbf/k/_c*
  • https://securentrycorp.nbarizona.com/Authentication/zbf/k/_c*
  • https://securentrycorp.vectrabank.com/Authentication/zbf/k/_c*
  • https://securentrycorp.zionsbank.com/Authentication/zbf/k/_c*
  • https://sellercentral.amazon.com/ap/signin*
  • https://sellercentral.amazon.com/gp/notifications/notification-widget-internals.html*
  • https://signon.navyfederal.org/siteminderagent/forms/nfcu.fcc
  • https://singlepoint.usbank.com/cs70_banking/logon/sbuser*
  • https://us.etrade.com/apiprospect/v1/market/client/remoteaddress.json
  • https://us.etrade.com/etx/hw/0/accountshome.json
  • https://us.etrade.com/webapiagg/aggregator
  • https://vacu.onlinebank.com/AOP/PasswordDesktop.aspx
  • https://vacu.onlinebank.com/login.aspx*
  • https://verified.capitalone.com/sic-ui/*
  • https://vesidm.verizonwireless.com/idm/open/idmlogin/validateAnswer?
  • https://vesidm.verizonwireless.com/idm/open/login/redirectToIdm
  • https://vesidm.verizonwireless.com/idm/secure/profile/indexPageInfo?
  • https://vesidm.verizonwireless.com/idm/secure/profile/main?
  • https://web*.secureinternetbank.com/EBC_EBC1961/EBC1961.ashx*
  • https://www.ally.ccservicing.com/CCServicing/Login.do*
  • https://www.ally.ccservicing.com/CCServicing/ProcessLogin.do*
  • https://www.ally.com/
  • https://www.altraonline.org/login/login.aspx?new=y
  • https://www.amazon.ca/*
  • https://www.amazon.ca/ap/signin
  • https://www.amazon.ca/gp/yourstore/home*
  • https://www.amazon.co.uk/*
  • https://www.amazon.co.uk/ap/signin
  • https://www.amazon.co.uk/gp/yourstore/home*
  • https://www.amazon.de/*
  • https://www.amazon.de/ap/signin
  • https://www.amazon.de/gp/yourstore/home*
  • https://www.bankofamerica.com/
  • https://www.bankofamerica.com/?*
  • https://www.bankofamerica.com/Control.do*
  • https://www.bankofamerica.com/homepage/overview*
  • https://www.bankofamerica.com/homepage/smallbusiness*
  • https://www.bankofamerica.com/index.jsp*
  • https://www.bankofamerica.com/onlinebanking/online-banking.go
  • https://www.bankofamerica.com/sitemap/hub/signin.go
  • https://www.bankofamerica.com/smallbusiness/
  • https://www.bankofamerica.com/smallbusiness/?*
  • https://www.bankofamerica.com/smallbusiness/online-banking.go
  • https://www.bbvacompass.com/
  • https://www.binance.com/login.html
  • https://www.binance.com/userCenter/balances.html
  • https://www.binance.com/userCenter/myAccount.html
  • https://www.capitalone.com/
  • https://www.centrum24.pl/centrum24-web/*?x=*
  • https://www.centrum24.pl/centrum24-web/crypt.*
  • https://www.centrum24.pl/centrum24-web/uep
  • https://www.chase.com/
  • https://www.chase.com/espanol
  • https://www.choicehotels.com/webapi/user-account/login
  • https://www.cibc.com/??/personal-banking*
  • https://www.cibc.com/??/small-business*
  • https://www.cibconline.cibc.com/ebm-resources/public/banking/cibc/client/web/*
  • https://www.cibconline.cibc.com/olbtxn/*
  • https://www.citi.com/credit-cards/*
  • https://www.grainger.com/checkLogin*
  • https://www.halifax-online.co.uk/personal/primarylogin
  • https://www.ipko.pl/
  • https://www.ipko.pl/secure/ikd3/index.html
  • https://www.ipko.pl/secure/ikd3/login.html
  • https://www.key.com/personal/index.jsp
  • https://www.lexisnexis.com/start/signin*
  • https://www.navyfederal.org/
  • https://www.onlinebanking.pnc.com/alservlet/*Transfer*Servlet*
  • https://www.onlinebanking.pnc.com/alservlet/AccountSwitcherServlet*
  • https://www.onlinebanking.pnc.com/alservlet/DepositActivityServlet*
  • https://www.onlinebanking.pnc.com/alservlet/LogoutServlet
  • https://www.onlinebanking.pnc.com/alservlet/MyAccountsServlet
  • https://www.pnc.com/*/personal-banking.html
  • https://www.simplii.com/en/home*
  • https://www.usaa.com/inet/ent_accounts/EntManageAccounts*
  • https://www.usaa.com/inet/ent_auth_pin/page/PinEntryPage*
  • https://www.usaa.com/inet/ent_auth_secques/answer*
  • https://www.usaa.com/inet/ent_home/CpHome*
  • https://www.usaa.com/inet/ent_logon/Logon*
  • https://www.usaa.com/inet/ent_memberprofile3/MemberProfileLandingPage*
  • https://www.walmart.com/?action=SignIn*
  • https://www.walmart.com/*
  • https://www.walmart.com/account/electrode/api/signin*
  • https://www.wellsfargo.com/
  • https://www*.bmo.com/onlinebanking/*
  • https://www*.royalbank.com/cgi-bin/rbaccess/*
  • https://www*.royalbank.com/wps/myportal/OLB/*
  • https://www*.scotiaonline.scotiabank.com/*
  • https*ebay.com*
  • https*wellsfargo.com*
  • *securebank.santander*.de/EBANDE*/BtoChannelDriver*
• The filename АахХееаВеАКе.exe contains unicode characters that resemble letters.

It adds the following scheduled tasks:

• Task Name: Ms dll libraries
• Task Action: %Application Data%\mslibrary\АахХееаВеАКе.exe
• Task Trigger: At System Startup & Every 9 minutes after first execution

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)